I've found using a subdomain helps with that, spammers will try [email protected] but won't bother trying to brute force subdomains.

However be warned some surprisingly large websites don't support subdomains, for example eBay will silently send [email protected] to [email protected] and you'll only figure it out by looking at your server logs for rejected mail.

In those cases I have to specifically alias that [email protected] to the subdomain.

With this new Apple privacy subdomain maybe eBay will finally fix this.